Trainer Name: Riddhi Shree

Title: SecQAtion 2.0: Smart Automation for Identifying Web Security Vulnerabilities

Duration: 4 days (4 hrs each day)

Dates: May 10, 2022 To May 13, 2022

Time: 10 a.m. To 2 p.m. IST

Sold Out

Training Objective

The purpose of this training is to demonstrate ways to improve efficiency when testing an application for security vulnerabilities. The methods described can be used easily by security engineers, quality analysts, developers, or anyone interested in finding security flaws in a target web application.

If you wish to explore the power of automation using open source tools, this training is for you. The capabilities can be further extended by integrating your favorite paid tools, if desired.

By the end of this training, you will have working code that can be used to run some initial checks on your target web application. You will also learn skills that will allow you to easily extend the code and customize it to your needs.

Training level: Intermediate

Training preview

Training outline

Day 1:
  • The problem statement, and an overview of suggested solution
  • General understanding of security testing approach
  • Introduction to robot framework
  • Robot framework in action
  • Basic elements of robot framework
Day 2:
  • Understanding the need for an intercepting proxy tool
    ◦ Mitmproxy vs. Burp Suite
  • Configure robot framework to intercept API requests and responses
  • Case Study: Attacking DVWA with help of robot framework
Day 3:
  • Quick review of Docker and Docker Compose
  • Building a Jenkins CI/CD pipeline
  • Securely serving the test report on cloud
  • Leveraging HTTPolice
  • Enabling parallel processing using pabot
Day 4:
  • Quick review of basics of Python programming
  • Creating custom keywords library
  • Case Study: A demonstration of various attack/analysis scenarios using our automation framework

What to Bring?

The following needs to be installed on your laptop/computer:

Training prerequisites

It would be an advantage if you are comfortable in the following areas:

  • Writing Python functions
  • Writing Dockerfile, Jenkinsfile
  • Using Docker and Docker Compose
  • Running AWS CLI commands

Who Should Attend?

  • Security Engineers
  • Quality Analysts
  • Developers
  • Anyone interested in finding security flaws in Web applications, in an efficient and repeatable manner

What to Expect?

  • Gain an understanding of how to use the open source robot framework to your advantage as a security analyst
  • Hands-on experience with a semi-automated security testing approach

What will attendees get?

  • Pre-configured Virtual Machine
  • Well-documented steps for hands-on exercises
  • Training presentation

What not to expect?

Do not expect the trainer to troubleshoot issues during software installation. Bring an up-to-date laptop and ensure your system supports installation of the listed software.

About the Trainer

Riddhi Shree is an information security enthusiast, currently working as technical lead for the product security team at Qualcomm. She has professional experience in software testing, web app pen testing, and Android and iOS app pen testing. Other than information security, she also has experience in web and mobile app development. She has created a cloud-based vulnerable Android app, called VyAPI, that demonstrates the OWASP Mobile Top 10 vulnerabilities. In the past, she led community activities for open security communities such as the null Bangalore chapter and Winja. Having an interest in capture-the-flag events, she has organized and led a team of passionate volunteers for several Winja CTF events, both online and offline. She has given talks and training at various security conferences, including BSides (Delhi), c0c0n (Kochi), Nullcon (Goa), ISC2 (Bangalore), HITB (Abu Dhabi), Wicked6, and Texas Cyber Summit.